CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration

Timeline :

Vulnerability discovered by Joxean Koret in 2008
Vulnerability reported to the vendor by Joxean Koret in 2008
Public release of the vulnerability in an Oracle CPU by the vendor on 2012-04-17
Details and PoC of the vulnerability released by Joxean Koret on 2012-04-18
Fake patching of the vulnerability discovered by Joxean Koret on 2012-04-26

PoC provided by :

Joxean Koret

Reference(s) :

Oracle CPU of April 2012
Joxean Koret details and PoC
Oracle Security Alert for CVE-2012-1675

Affected version(s) :

All versions of Oracle Database

Tested with :

Oracle Database 10g Enterprise Edition Release

Description :

Using Joxean Koret's PoC requires that the database name be exactly 6 characters long.

Database server characteristics :

IP :
Oracle version :
Database listener port : 1521
Database listener has no client IP restrictions
Database name : arcsig
Database username : arcsig
Database password : testtest

Database client characteristics :

IP :
SQL*Plus version :

tnsnames.ora file as below :

(SERVICE_NAME= arcsig)

Attacker characteristics :

IP :
Usage of PoC provided by Joxean Koret

Demonstration :

PoC validation phase

On database server :

ps faux
netstat -tan

On database client :

sqlplus -v
cat tnsnames.ora
sqlplus [email protected]

PoC exploitation phase

On attacker :

Start the MITM proxy, which will intercept the communication between the client and the database :

sudo python -l -p 1521 -r -P 1521

Start the vulnerability exploitation :

python 1521 arcsig 1521

On the database client :

Connect with SQL*Plus
sqlplus [email protected]

You can see that the communication is intercepted by the proxy.
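The listener in this demonstration accepts instance registration from any TCP client, which is the condition the PoC relies on. The following Python script is an added example, not Joxean Koret's PoC and not part of the original page, that audits a listener.ora for the registration restrictions Oracle's Security Alert for CVE-2012-1675 recommends: Class of Secure Transport (SECURE_REGISTER_<listener>, DYNAMIC_REGISTRATION_<listener>) and, on 11.2.0.4 and later releases, VALID_NODE_CHECKING_REGISTRATION_<listener>. The two listener.ora texts embedded in it are constructed for the example; the listener name LISTENER and the host dbhost.example are assumptions.

```python
"""Audit an Oracle listener.ora for unrestricted remote instance registration.

Added example for the CVE-2012-1675 demonstration page; not the PoC and not
Oracle tooling. The sample configurations below are constructed for the example.
"""
import re

# Constructed sample: a default listener reachable over TCP with no registration
# restrictions (the situation shown in the demonstration).
UNRESTRICTED_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
"""

# Constructed sample: the same listener with registration restricted.
HARDENED_LISTENER_ORA = UNRESTRICTED_LISTENER_ORA + """\
# COST: instances may only register over the local IPC endpoint
SECURE_REGISTER_LISTENER = (IPC)
# 11.2.0.4+ / 12c: additionally accept registration from local nodes only
VALID_NODE_CHECKING_REGISTRATION_LISTENER = LOCAL
"""

# Values that open a nested address block rather than a simple parameter.
_BLOCK_VALUES = ("(DESCRIPTION", "(ADDRESS", "(SID_LIST")


def listener_names(text):
    """Names of listeners defined as top-level NAME = (DESCRIPTION...) blocks."""
    return re.findall(
        r"^\s*([A-Za-z]\w*)\s*=\s*\n?\s*\((?:DESCRIPTION_LIST|DESCRIPTION|ADDRESS)",
        text, re.M)


def top_level_params(text):
    """Simple KEY = VALUE parameters (COST settings etc.), upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z]\w*)\s*=\s*(\S.*)$", line)
        if m and not m.group(2).upper().startswith(_BLOCK_VALUES):
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params


def remote_registration_allowed(text, name):
    """True if the named listener still accepts registration from any TCP client."""
    p = top_level_params(text)
    n = name.upper()
    if p.get(f"DYNAMIC_REGISTRATION_{n}") == "OFF":
        return False                      # no dynamic registration at all
    secure = p.get(f"SECURE_REGISTER_{n}")
    if secure is not None:
        protocols = {x.strip() for x in secure.strip("()").split(",")}
        if "TCP" not in protocols:
            return False                  # registration limited to IPC / TCPS
    vnc = p.get(f"VALID_NODE_CHECKING_REGISTRATION_{n}")
    if vnc in ("ON", "1", "LOCAL", "SUBNET", "2"):
        return False                      # node checking rejects remote nodes
    return True                           # exposed: remote TCP registration accepted


def audit(text):
    """Map each listener name to whether remote registration is allowed."""
    return {name: remote_registration_allowed(text, name) for name in listener_names(text)}


if __name__ == "__main__":
    for label, cfg in (("unrestricted", UNRESTRICTED_LISTENER_ORA),
                       ("hardened", HARDENED_LISTENER_ORA)):
        for name, exposed in audit(cfg).items():
            state = "ALLOWED" if exposed else "restricted"
            print(f"{label}: listener {name}: remote registration {state}")
```

On a real system, `audit(open(path).read())` on the listener.ora in $ORACLE_HOME/network/admin gives the same verdict per listener; a listener reported as ALLOWED is in the state shown in the server characteristics above (no client IP restrictions on registration), and any of the three settings the script recognises removes the remote registration path the PoC uses.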